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Abstract. It is natural to present subtyping for recursive types coin- 
ductively. However, Gapeyev, Levin and Pierce have noted that there is 
a problem with coinductive definitions of non-trivial transitive inference 
systems: they cannot be “declarative” — as opposed to “algorithmic” or 
syntax-directed — because coinductive inference systems with an explicit 
rule of transitivity are trivial. 

We propose a solution to this problem. By using mixed induction and 
coinduction we define an inference system for subtyping which combines 
the advantages of coinduction with the convenience of an explicit rule of 
transitivity. The definition uses coinduction for the structural rules, and 
induction for the rule of transitivity. We also discuss under what condi- 
tions this technique can be used when defining other inference systems. 
The developments presented in the paper have been mechanised using 
Agda, a dependently typed programming language and proof assistant. 


1 Introduction 

Coinduction and corecursion are useful techniques for defining and reasoning 
about things which are potentially infinite, including streams and other (poten- 
tially) infinite data types (Coquand 1994; Gimenez 1996; Turner 2004), process 
congruences (Milner 1990), congruences for functional programs (Gordon 1999), 
closures (Milner and Tofte 1991), semantics for divergence of programs (Cousot 
and Cousot 1992; Hughes and Moran 1995; Leroy and Grail 2009; Nakata and 
Uustalu 2009) , and subtyping relations for recursive types (Brandt and Henglein 
1998; Gapeyev et al. 2002). 

However, the use of coinduction can lead to values which are “too infinite”. 
For instance, a non-trivial binary relation defined as a coinductive inference sys- 
tem cannot include the rule of transitivity, because a coinductive reading of 
transitivity would imply that every element is related to every other (to see this, 
build an infinite derivation consisting solely of uses of transitivity). As pointed 
out by Gapeyev et al. (2002) this is unfortunate, because without transitivity, 
conceptually unrelated rules may have to be merged or otherwise modified in 
order to ensure that transitivity can be proved as a derived property. Gapeyev 
et al. give the example of subtyping for records, where a dedicated rule of transi- 
tivity ensures that one can give separate rules for depth subtyping (which states 
that a record field type can be replaced by a subtype), width subtyping (which 



states that new fields can be added to a record), and permutation of record 
fields. 

We propose a solution to this problem. The problem stems from a coinductive 
reading of transitivity, and it can be solved by reading the rule of transitivity 
inductively, and only using coinduction where it is necessary. We illustrate this 
idea by using mixed induction and coinduction to define a subtyping relation for 
recursive types; such relations have been studied repeatedly in the past (Amadio 
and Cardelli 1993; Kozen et al. 1995; Brandt and Henglein 1998, and others). 
The rule which defines when a function type is a subtype of another is defined 
coinductively, following Brandt and Henglein (1998) and Gapeyev et al. (2002), 
while the rule of transitivity is defined inductively. 

The technique of mixing induction and coinduction has been known for a long 
time (Park 1980; Barwise 1989; Raffalli 1994; Gimenez 1996; Hensel and Jacobs 
1997; Muller et al. 1999; Barthe et al. 2004; Levy 2006; Bradfield and Stirling 
2007; Abel 2009; Hancock et al. 2009), but we feel that it deserves to be more 
well-known in the programming language community. We also believe that the 
approach to coinduction used in the paper, due to Coquand (1994), deserves more 
attention: following the Curry-Howarcl correspondence the coinductive definition 
and proof principles both take the form of guarded corecursion for (potentially 
indexed) lazy data types. 

The main developments in the paper have been formalised using the depen- 
dency typed, total 1 functional programming language Agda (Norell 2007; Agda 
Team 2010), which provides good support for mixed induction and coinduction 
in the style mentioned above. The source code is at the time of writing available 
to download (Danielsson 2010a). 

The rest of the paper is structured as follows: Section 2 gives an introduc- 
tion to induction and coinduction in the context of Agda. Section 3 defines a 
small language of recursive types, and Sect. 4 defines a subtyping relation for 
this language by viewing the types as potentially infinite trees. Section 5 defines 
an equivalent, declarative subtyping relation using mixed induction and coin- 
duction, and Sect. 6 compares this definition to another equivalent definition, 
given by Brandt and Henglein (1998). Finally Sect. 7 discusses a potential pitfall 
associated with the technique we propose, and Sect. 8 concludes. 


2 Induction and Coinduction 

This section gives a brief introduction to induction and coinduction, with an 
emphasis on how these concepts are realised in Agda. For more formal accounts 
of induction and coinduction see, for instance, the theses of Hagino (1987) and 
Mendler (1988). 


1 Agda is an experimental system. The meta-theory has not been formalised, and the 
type checker has not been proved bug-free, so take phrases such as “total” with a 
grain of salt. 



2.1 Induction 


Let us start with a simple inductive definition. In Agda the type of finite lists 
can be defined as follows: 

data List ( A : Set) : Set where 
[] : List A 

: A — > List A — -> List A 

This states that List A is a type (or Set) with two constructors, [] of type List A 
and of type A — > List A — > List A. The constructor is an infix operator; 
the underscores mark the argument positions. The type List A is isomorphic to 
the least fixpoint fxX. 1 + A x X in the category of types and total functions. 2 

Agda has a termination checker which ensures that all code is terminating (or 
productive, see below). It is assisted by other checkers which ensure that data 
types are strictly positive, and not too large. The termination checker allows 
lists to be destructed using structural recursion: 

map : {A B : Set} — > (A — * B) — > List A — > List B 

map f [] = [] 

map f ( x :: xs) = f x :: map f xs 

The use of braces in {A B : Set } — » . . . means that the two type arguments 
A and B are implicit; they do not need to be given explicitly if Agda can infer 
them. Note that in this context A B is not an application, it is a sequence of 
variables. 


2.2 Coinduction 

If we want to have infinite lists, or streams, we can use the following coinductive 
definition instead (note that constructors, such as can be overloaded in 
Agda): 

data Stream ( A : Set) : Set where 

: A — > oo ( Stream A) — > Stream A 

The type Stream A is isomorphic to the greatest fixpoint vX. A x X. The 
type function oo : Set — » Set marks its argument as being coinductive. It 
is analogous to the suspension type constructors which are sometimes used to 
implement non-strictness in strict languages (Wadler et al. 1998), and comes 
with a force function and a delay constructor: 

^ : {A : Set} — > oo A — > A 
t_ : {A : Set} — > A — > oo A 

2 At the time of writing this is not exactly true in Agda (Danielsson and Altenkirch 
2009), but the difference between List A and the fixpoint is irrelevant for the pur- 
poses of this paper. Similar considerations apply to greatest fixpoints. 



The constructor tf_ is a tightly binding prefix operator. Ordinary function appli- 
cation binds tighter, though. 

Values of coinductive types can be constructed using guarded corecursion 
(Coquand 1994): 

map s : {A B : Set} — > (A — > B) — > Stream A — > Stream B 

map s f (x :: xs) = f x :: ® map g / xs) 

The definition of raap s is accepted by Agda’s termination checker because the 
corecursive call is guarded by without any non-constructor function between 
the left-hand side and the corecursive call. This syntactic notion of guarded- 
ness ensures that corecursive definitions are productive : even if the value being 
constructed is infinite, the next constructor can always be computed in a finite 
number of steps. 

It may also be instructive to see (attempted) definitions which are not ac- 
cepted: 

bad : Stream N nats : Stream N 

bad = zero :: tail bad nats = zero :: S map s sue nats 

Both definitions are rejected because they are not guarded, but only the first 
one is non-productive; nats uniquely specifies the stream of natural numbers, but 
is rejected by the termination checker because it does not satisfy the syntactic 
criterion imposed by Agda. 


2.3 Coinductive Relations 


Let us now consider a coinductively defined relation: stream equality, also known 
as bisimilarity. Two streams are equal if they have identical heads and their tails 
are equal (coinductively): 


^ XS ~ ^ ys 
x :: xs « x :: ys 


(coinductive) 


This inference system can be represented using an indexed data type: 


data {A : Set} : Stream A — » Stream A 
: (x : A) {xs ys : oo ( Stream A)} — > o< 


(^ xs 


Set where 

b ys) 


x :: xs 


x :: ys 


Some remarks on this definition may be useful: 

— The elements of the type xs « ys are proofs witnessing the equality of xs 
and ys. Agda does not make a distinction between proofs and programs, and 
the termination checker ensures productivity of both kinds of definition. 

— Dependent function spaces ((x : A) — > B where x can occur in B) are used 
to set up dependencies of types on values. 



— The first occurrence of the type constructor oo just reflects the fact that 
the second argument to the stream constructor is delayed. The second 
occurrence is necessary to be able to construct infinite equality proofs; if we 
had omitted it the relation would have been empty. 

— We overload the constructor so that it stands both for the “cons” func- 
tion for streams, and for the proof that cons preserves equality. The con- 
structors can be disambiguated based on type information. 

Elements of coinductively defined relations can be constructed using corecur- 
sion. As an example, let us prove the map-iterate property (Gibbons and Hutton 
2005): 

map s / ( iterate f x) ss iterate f {f x). 

The function iterate repeatedly applies a function to a seed element and collects 
the results in a stream: 

iterate f x = x :: N (/ x :: N (/ (/ x) :: . . .)). 

The function is defined corecursively: 

iterate : {A : Set } — > (A — > A) — » A — » Stream A 
iterate f x = x :: ^ iterate / (/ x) 

The map-iterate property can be proved using guarded corecursion (the term 
guarded coinduction could also be used): 

map-iterate : {A : Set } (/ : A — > A) {x : A) — » 
map s / ( iterate f x) ~ iterate f (/ x) 
map-iterate f x = f x :: ® map-iterate f (/ x) 

To see how this proof works, consider how it can be built up step by step (as in 
an interactive Agda session) : 

map-iterate f x = ? 

The type of the goal ? is map s / ( iterate f x) w iterate f (/ x). Agda types 
should always be read up to normalisation, so this is equivalent to 3 

/ x :: # map s / ( b (# iterate f (/ a;))) « / x :: # iterate f (/ (/ a)). 

(Note that normalisation does not involve reduction under tL, and that ^ (tt x) 
reduces to x.) This type matches the result type of the equality constructor 
so we can refine the goal: 

map-iterate f x = f x :: ? 

3 This is a simplification of the current behaviour of Agda. 



The new goal type is 


oo (map s / ( iterate f (/ x)) « iterate / (/ (/ x))), 

so the proof can be finished by an application of the coinductive hypothesis 
under the guarding constructor A|; v 

map-iteratef x = f x :: ® map-iterate f (/ x) 


2.4 Mixed Induction and Coinduction 

The types above are either inductive or coinductive. Let us now discuss a type 
which uses both induction and coinduction. Hancock et al. (2009) define a lan- 
guage of stream processors, representing functions of type Stream A — > Stream B, 
using a nested fixpoint: vY.pX. B x Y + (A — > X). We can represent this fix- 
point in Agda as follows: 

data SP (A B : Set) : Set where 
put : B -» oo (SP A B) -4 SP A B 
get : (A —> SP A B) -* SP A B 

The stream processor put b sp outputs 6, and continues processing according 
to sp. The processor get / reads one element a from the input stream, and 
continues processing according to f a. In the case of put the recursive argument 
is coinductive, so it is fine to output an infinite number of elements, whereas in 
the case of get the recursive argument is inductive, which means that one can 
only read a finite number of elements before writing the next one. This ensures 
that the output stream can be generated productively. 

We can implement a simple stream processor which copies the input to the 
output as follows: 

copy : {A : Set} — > SP A A 
copy = get (A a — > put a (N copy)) 

This definition is guarded. Note that copy contains an infinite number of get 
constructors. This is fine, even though get’s argument is inductive, because there 
is never a stretch of infinitely many get constructors without an intervening 
delay constructor (tL). On the other hand, the following definition of a sink is 
not guarded, and is not accepted by Agda: 

sink : {A B : Set} — > SP A B 
sink = get (A _ — > sink) 

As another example we can compute the semantics of a stream processor: 

[_] : {A B : Set} — > SP A B — * Stream A — > Stream B 
[ put b sp} as = b :: 8 ([ ^ sp ] as) 

[get / ] (a :: as) = [/a] ( b as) 



([_] is a mixfix operator.) This definition uses a lexicographic combination of 
guarded corecursion and higher-order structural recursion (see Sect. 2.5). In the 
first clause the corecursive call is guarded. In the second clause it “preserves 
guardedness” (it takes place under zero coinductive constructors rather than 
one), and the first argument is structurally smaller. 

Note that [_] could not have been implemented if SP A B had been defined 
purely coinductively (because then sink could be implemented with B equal to 
the empty type). By using both induction and coinduction in the definition we 
rule out certain stream processors which would otherwise have been accepted, 
and in return we can implement functions like [_]. 

2.5 A Criterion for Totality 

Let us now make things more precise by giving a more detailed explanation 
of Agda’s criterion for accepting a function as being total. The results in the 
paper do not depend on the exact criterion used by Agda, so we only give a 
conservative approximation of what is currently implemented. The description 
below is based on the termination checker foetus (Abel and Altenkirch 2002), 
extended with support for guarded coinduction based on an idea due to Andreas 
Abel (personal communication). 

First we collect some information about the program. For every left-hand 
side f pi ... p m and function call g e± ... e n in the corresponding right-hand 
side the following information is recorded: 

Argument structure For every pair ( Pi,ej ) it is noted if the argument e 3 
is structurally strictly smaller (denoted by <) or equal to (=) the pattern 
Pi . If neither case applies, then we use the notation ?. Note that x is not 
structurally smaller than x, and that f x is strictly smaller than c /, for 
an inductive constructor c. 

Guardedness It is also noted whether the call is guarded by constructors, at 
least one of which is coinductive (<); or whether guardedness is preserved, 

i.e. if the call is guarded by inductive constructors (=). 

The next step is to combine the information about individual calls into infor- 
mation about all the call paths from one function to itself. We use the notation 
( g | a\ . . . On) to describe the information computed for a call path; here g is 
the guardedness information, and a; describes how the z-th argument is changed. 
In the case of the function [_] from Sect. 2.4 we get that there are three kinds 
of call paths: 

1. (< | = = ? =), which corresponds to the first recursive call; 

2. (= | = = <?), which corresponds to the second recursive call; and 

3. (< | = = ? ? ) for call paths which involve both recursive calls. 

Finally we can give the criterion for totality: a function is accepted as total if 
there is some lexicographic combination of the components for which every call 
path is strictly decreasing. In the case of [_] it suffices to combine the guarded- 
ness with the information about the third argument (the stream processor). 



As noted by Danielsson and Altenkirch (2009, Section 7.1) the criterion above 
works best if all fixpoints have the form vY.^X. F X Y (for suitable values of 
F); we have not yet found a good way to incorporate fixpoints of the form 
fiX.uY. F X Y. However, this issue does not affect the examples in this paper. 

2.6 Relations Using Mixed Induction and Coinduction 

As a final example we define a relation using mixed induction and coinduction. 
Capretta (2005) defines the partiality monad, which can be used to represent 
potentially non-terminating computations, as follows: 

data (A : Set) : Set where 
return : A — > A v 

step : oo (A ") — > A v 

The constructor return returns a result, and step postpones a computation. Non- 
termination is represented as an infinitely postponed computation: 

J_ : {A : Set} -> A v 
_L = step (tt _L) 

A natural definition of equality for partial computations is weak bisimilarity 
(viewing step as a silent transition): 4 


data 

: A" —> A 

V 

> Set where 


return : 



return v = 

return v 

step : 

OO (^ X = ^ 

y) 

-> step x = 

step y 

step 1 ' : 

X S* b 

y 

->■ x = 

step y 

step 1 : 


y 

-r step X = 

y 


This is basically the congruence generated by return and step, but allowing for 
finite differences in delay. Note that the requirement of finite differences in delay 
is captured by the use of induction for step 1 ' and step 1 , while the use of coinduction 
for step is necessary to be able to prove that the relation is reflexive. 

3 Recursive Types 

Brandt and Henglein (1998) define the following language of recursive types: 

cr, r ::= _L | T | X \ a — > r | /. iX . a — > r 

Here A. and T are the least and greatest types, respectively, A is a variable, 
u — > t is a function type, and /. iX . a —> t is a fixpoint, with bound variable X . 

4 In order to reduce clutter the declarations of implicit arguments have been omitted 
in the remainder of the paper. 



(The body of the fixpoint is required to be a function type, so types like ^ iX.X 
are ruled out.) The intention is that a fixpoint [iX.cr —> r should be equivalent 
to its unfolding (a —> t)[X := /. iX . a —> t\. It would be unproblematic to extend 
the language with other type constructors, such as products and sums. 

The language above can be represented in Agda as follows: 

data Ty (n : N) : Set where 


JL 

: Ty n 



T 

: Ty n 



var 

: Fin n — > Ty 

n 


— >_ 

: Ty n 

> Ty n 

-> Ty n 


: Ty (1 + n) - 

> Ty (1 + n) - 

-> Ty n 


Here variables are represented using de Bruijn indices: Ty n represents types 
with at most n free variables, and Fin n is a type representing the first n 
natural numbers. Substitution can also be defined; a [ t } is the capture-avoiding 
substitution of r for variable 0 in a: 

-[-] : Ty (1 + n) -> Ty n -> Ty n 

The following function unfolds a fixpoint one step: 

unfold(jj,-—>-) : Ty (1 + n) — > Ty (1 + n) — > Ty n 
unfold(fi a —> t ) = (a — > t) [ y, a — > t] 

(Note that _[_] and unfold{n-—> _) are all mixfix operators which take 

two arguments.) 

4 Subtyping via Trees 

A natural definition of subtyping goes via subtyping for potentially infinite trees 
(Gapeyev et al. 2002): 

data Tree (n : N) : Set where 


JL 

: Tree n 


T 

: Tree n 


var 

: Fin n — > Tree n 


_ — >_ 

: oo (Tree n) — > oo (Tree n) - 

-> Tree n 


The subtyping relation for trees can be given coinductively as follows: 

data _^Tree- : Tree n — ■» Tree n — > Set where 
T : -L ^Tree T 

T : (7 ^Tree T 

: var X ^Tree var x 

- : OO ( b Tl ^Tree b £7l) -> 00 ( b CT 2 ^Tree b T 2 ) -> 

(Ji — > <J‘2 ^Tree T\ — i > T 2 


var 




Fig. 1 . The first levels of the infinite trees corresponding to the types yX. X — > X and 
yX. {X -> _L) -> T. 


Note the contravariant treatment of the codomain of the function space. Note 
also that the constructors of Tree are overloaded — repeatedly — in order to reduce 
clutter. 

The semantics of a recursive type can be given in terms of its unfolding as a 
potentially infinite tree: 


[-1 : 

Ty n 

— » Tree n 


I-L] 


= _L 


IT] 


= T 


[var. 

x ] 

= var x 


I 

-> r] 

= # I^1 

-> H [ T ] 

[/rcr 

-> r ] 

= H°[x} 

] — > tt [[ T- [ X 



where \ 

= /i a —> r 


The subtyping relation for types can then be defined by combining _^Tree- and 

I-J: 

_^Type- : Ty n -» Ty n -» Set 
cr ^Type r = [ a ] ^Tree [ T ] 

As a simple example, consider the following two types, a = yX. X —> X 
and t = \xX. (X — > _L) — > T: 

<r : Ty 0 t : Ty 0 

<7 = i-i var zero — > var zero r = // (var zero — > _L) — > T 

The first few levels of the infinite trees corresponding to these types can be seen 
in Fig. 1. It is straightforward to show that a is a subtype of r using a corecursive 
proof: 

CT^T : (7 ^Type T 

a^r = tl (tt cr^r — > tt J_) — > $ T 


(Note that cr^r is an identifier and not a compound expression; almost any 
character string which does not contain whitespace can be used as an identifier.) 



Amadio and Cardelli (1993) also define subtyping for recursive types by going 
via potentially infinite trees, but they define a subtyping relation inductively on 
finite trees, and state that an infinite tree cr is a subtype of another tree r 
when every finite approximation (of a certain kind) of a is a subtype of the 
corresponding approximation of r. It is easy to show that this definition, as 
adapted by Brandt and Henglein (1998), is equivalent to the one given above. 
One direction of the proof uses induction on the depth of approximation, and 
the other constructs elements of cr ^ Type T corecursively; see the code which 
accompanies the paper (Danielsson 2010a). 


5 Subtyping Using Mixed Induction and Coinduction 


Subtyping can also be defined directly, without going via trees. The following 
definition is inspired by one given by Brandt and Henglein (1998), see Sect. 6: 

data : Ty n — » Ty n — > Set where 
_L : _L < r 

T : cr < T 

: oo (ti ^ cr i) — > oo (cr 2 ^ r 2 ) — *■ cr 1 -> a 2 ^ n -> r 2 
unfold : fi n — > r 2 ^ unfold(p,T\ — > r 2 ) 
fold : unfold(fj,Ti — > r 2 ) ^ fi n — < > r 2 

refl : r ^ r 

trans : n < r 2 -> r 2 < r 3 -> t x < r 3 

Note that the structural rules (_L, T, i >_) are defined coinductively, while the 
other rules, most importantly trans, are defined inductively. Note also that the 
inclusion of refl and trans is essential; if either constructor is removed we get a 
different relation. 

Now, if we can prove that the relation is equivalent to _^Type- (and thus 
also equivalent to Amadio and Cardelli’s relation) , then we have showed what we 
set out to show: that coinduction and the rule of transitivity can be combined. We 
can prove completeness by a simple application of guarded corecursion (omitted 
here) : 


complete : a ^Type r — ■> cr ^ r 

The soundness proof is a little more tricky. The following lemmas are easy to 
prove: 


unfold Type 
fold Type 
re flT ype 
tvCLTlS Type 


M T\ T 2 ^Type Unfoldljl T\ -» T 2 ) 

Unfold(pL T\ > T'2 ) ^Type M T\ -o T 2 
^Type T 

T\ ^Type T 2 — » T 2 ^Type T3 — » T\ ^Type^ 


Using these lemmas one might think that the following should be accepted as a 
soundness proof: 



sound : a ^ r — > er ^Type t 
sound _L = _L 

sound T = T 

sound — > ct 2 ^t 2 ) = 

sound unfold = 

sound fold = 

sound refl = 

sound (trans 7 i^t 2 72^73) = 


ft sound — > ft sound a 2 ^T 2 ) 

unfold Type 

fold Type 

Tofl Type 

transType ( sound t\^t 2 ) ( sound 73 ^73) 


However, consider the case for trans. The arguments to the recursive calls are 
structurally smaller than the inputs, but trans Type is not a constructor, so guard- 
edness is not preserved. The proof is productive (given a suitable definition of 
trans Type), but Agda’s termination checker cannot see this. 

In the absence of improved termination checking for Agda we provide a 
workaround, using a technique described by Danielsson (2010b). If trans T ype 
had been a constructor then the definition of sound would have been accepted, 
and this observation can be used to rescue the proof. First we define a variant 
of _^Tree- which includes an extra inductive constructor, trans: 


data _^TreeP- : Tree n 


Tree n 


Set where 


T 

T 

var 


trans 


-L ^TreeP T 

<7 ^TreeP T 

var x ^TreeP var x 

00 ( b Ti <TreeP ^ <7 i) 

<7 1 — 1 > 02 ^TreeP Tl — > T 2 
Tl ^TreeP 72 — » T2 ^TreeP 73 


00 (^ Cr 2 ^TreeP ^ T 2 ) - 
Tl ^TreeP 73 


The letter P stands for “program” ; this type defines a small language of equality 
proof programs. It is easy to turn proofs into proof programs corecursively: 


— ^ : <7 ^Tree 7" 


<7 ^TreeP T 


We can now write a guarded proof program which “proves” soundness: 


sound P : <7 < r — > [ a ] <Ti-eeP 
sounds J_ = 

sounds T = 

sounds (ti^ui — > <j 2 ^t 2 ) = 

soundp unfold = 

sounds fold = 

sound p refl = 

sounds (trans ri^T2 73^73) = 


T 

T 

ft soundp (^ — > ft soundp (^ <72^73) 

r unfold Type n 
r foldType n 

r re fl Type n 

trans ( soundp ri^r 2 ) ( soundp 73^73) 


If we can also find a way to turn proof programs into proofs, productively, 
then we are done. We start by defining a type of weak head normal forms 
(WHNFs) for the proof programs: 



data 

^ TreeW 

: Tree n — » Tree n - 

-> Set where 

A 

: _L 

^ TreeW T 


T 

: a 

^ TreeW T 


var 

: var x 

^ TreeW var X 



^ Pi ^TreeP ^ CT 1 


^ C 2 ^TreeP ^ P2 


Cl — 1 > C 2 ^TreeW T 1 “ > ^2 


Note that the arguments to _— >_ are programs, not WHNFs. One can prove by 
simple case analysis that -^TreeW- is transitive: 


irons Tree W : r l ^TreeW r 2 ~ * T 2 ^TreeW r 3 ~ > T 1 ^TreeW r 3 


From this result it follows by structural recursion that programs can be turned 
into WHNFs: 

whnf : <J ^TreeP T — ^ (7 ^TreeW T 
whnf _L = _L 

whnf T = T 

whnf var = var 

whnf -» cr 2 <r 2 ) = b pi^cti -> b cr 2 ^r 2 

w/m/ (transri^r 2 t 2 ^T3) = irons TreeW ( whnf ti^t 2 ) (whnf r 2 ^T3) 

The following mutually recursive functions then turn proof programs into “ac- 
tual” proofs by using the whnf function repeatedly: 


I-Jw ’ 

C ^ TreeW T ~ 

& ^Tree 'T 

[J- 

Iw 

= _L 

[T 

Iw 

= T 

[var 

Iw 

= var 

[ Pl<Ci 

— > cr 2 <T 2 ] w 

= # [ Pl<OT ] 


C2^T2 ]p 


[— Ip : C ^TreeP P ' CT ^Tree P 

[ c<p ] P = [ whnf a^r ] w 

Note that these functions are guarded and hence productive. Finally we get the 
soundness proof: 


sound : er ^ r — > er ^Type T 
sound a^r = [ soundp er^r ] p 


6 Inductive Axiomatisation of Subtyping 

Brandt and Henglein (1998) do not define subtyping using mixed induction and 
coinduction, as in Sect. 5, but using an inductive encoding of coinduction. Their 
sub typing relation is ternary: A b er ^ r means that er is a subtype of r given 
the assumptions in A. An assumption (a hypothesis) is simply a pair of types: 



data Hyp (n : N) : Set where 
_<_ : Ty n — ► Ty n — > Hyp n 

The subtyping relation is defined as follows: 


data _b_ 
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Here encodes list membership. Note that coinduction is encoded in the <>_ 
rule by inclusion of the consequent in the lists of assumptions of the antecedents. 

Brandt and Henglein prove that their relation (with an empty list of assump- 
tions) is equivalent to Amadio and Cardelli’s. Their proof is considerably more 
complicated than the proof outlined above which shows that ^ is equivalent 
to Amadio and Cardelli’s definition, but as part of the proof they show that 
subtyping is decidable. By composing the two equivalence proofs we get that 
sub typing as defined in Sect. 5 is also decidable. 

Brandt and Henglein use a classical argument to show that their algorithm 
terminates, so it is not entirely obvious that it can be implemented in a total, 
constructive type theory like Agda. However, we have adapted the algorithm to 
this setting: 

: (a t : Ty n) — > Dec ([] h c ^ r) 

A value in Dec A is either a value in A, or a proof showing that no such value 
exists, so this decision procedure does not merely say “yes” or “no”, it backs 
up its verdict with solid evidence. Details of the implementation of are 

available in the code accompanying the paper (Danielsson 2010a). 

We know that _b_^_ is equivalent to because both relations are equiv- 
alent to Amadio and Cardelli’s. However, it can still be instructive to see a direct 
proof of soundness of _b_^_ with respect to ^ . The proof below uses a cyclic 
(but productive) proof to turn the inductive encoding of coinduction used in 
_b_s^_ into the “actual” coinduction used in 

To state soundness the type All is used; All P xs means that all elements in 
xs satisfy P: 

data All {P : A — > Set ) : List A — > Set where 
[] :AUP[] 

: P x — > All P xs 


All P (x :: xs) 



The soundness proof shows that if A h a ^ r, where all pairs a' < t' in A 
satisfy a' ^ t', then a ^ r: 

Valid : {Ty n — > T?/ n — > Set) — > Hyp n — » Set 
Valid _ 7 ?_ (ui < <72) = a\ R a 2 

sound : All {Valid i-^lhcr^r-^cr^T 

The interesting cases of sound are the ones for trans, hyp and Transitivity 

can be handled recursively, hypotheses can be looked up in the list of valid 
assumptions (using lookup : All P xs — > x £ xs — » P x), and function spaces 
can be handled by defining a cyclic proof: 

sound valid (trans T1XT2 72^73) = trans ( sound valid ti^t 2 ) 

{sound valid 12^73) 

sound valid (hyp h) = lookup valid h 

sound valid (ri^oy — > a 2 ^r 2 ) = proof 

where proof = ft sound {proof :: valid) Ti^ay — > 
ft sound {proof :: valid) a 2 ^r 2 

Note that the last two calls to sound extend the list of valid assumptions with 
the proof currently being defined. 

The definition of proof above is not guarded, but it would be if sound were a 
constructor. We use the technique from Sect. 5 to make the proof guarded. The 
program and WHNF types can be defined mutually as follows: 


data _^p_ : Ty n — > Ty n —> Set where 

sound : All {Valid _^ w _) d-)4hff^r-4(T^pr 
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The cases of sound listed above are now part of a function sounds which is used 
by whnf to interpret sound: 

sounds : All ( Valid _^vv-) A-^A\~a^r^a r 

sounds valid (trans tl^ 72 72^73) = trans {sounds valid ti^t 2 ) 

{sound w valid 72^73) 

soundyj valid (hyp h) = lookup valid h 

soundyj valid (ri^ay — < > 02^72) = proof 

where proof = ft sound {proof :: valid) t\ ^ cr-| — > 
ft sound {proof :: valid) <72^72 
whnf : a r — » er r 
whnf (sound valid <t^t) = sounds valid 



Note that proof is now guarded. For the definitions of [_] w , [_] P and sound , 
see the accompanying code (Danielsson 2010a). 

We have not found a proof of completeness of _b_^_ with respect to 
which does not use a decision procedure for subtyping. This is not entirely sur- 
prising: such a completeness proof must turn a potentially infinite proof of a ^ r 
into a finite proof of [ ] b a ^ r, so some “trick” is necessary. With a suitably 
formulated decision procedure at hand the trick is simple. We have implemented 
a decision procedure dec which gives either a proof of [] b a ^ r, or a proof 
which shows that cr ^ r is impossible. In the first case we are done, and in 
the second case a contradiction can be derived. (The decision procedure dec, to- 
gether with the proof of soundness of is used to implement the decision 

procedure mentioned above.) 

7 Postulating an Admissible Rule May Not Be Sound 

Given an inductively defined inference system one can add a new rule correspond- 
ing to an admissible property without changing the set of derivable properties. It 
is easy to prove this statement by defining functions which translate between the 
two inference systems. Translating derivations from the old to the new inference 
system is trivial. When translating in the other direction one can replace all oc- 
currences of the new rule with instances of the proof of admissibility; this process 
can be implemented using recursion over the structure of the input derivation. 

However, when coinduction comes into the picture this property no longer 
holds (de Vries 2009). The proof given above breaks down because there is no 
guarantee that the second translation can be implemented in a productive way. 
The problem is that, although the admissible rule has a proof, this proof may 
not be sufficiently “contractive” (for instance, the proof may replace coinductive 
rules in the input derivation with inductive rules in the output derivation). 

The following example illustrates the problem. Recall the definition of the 
partiality monad in Sect. 2.6. One can prove that the equality _=_ is an equiv- 
alence relation, and that it is not trivial (assuming that the result type A is 
inhabited). Let us now add transitivity as an inductive rule: 

data \ A v — > A v — » Set where 
trans \ x = y-^y = z-^x = z 

Given this new constructor we can prove, using guarded coinduction, that the 
relation is trivial: 

trivial : (x y : A ") — » x = y 
trivial x y — trans (step 1 ' ( refl x )) 

(trans (step (t* trivial x y)) 

(step 1 ( refl y))) 

The proof uses the following steps: x = step (# x) = step (N y) = y. (The 
function refl is a proof of rcflexivity.) 



This problem does not affect the definition of subtyping given above, which 
has been proved to be equivalent to other definitions from the literature. How- 
ever, it means that one should exercise caution when defining relations using 
mixed induction and coinduction, and avoid relying on results or intuitions which 
are only valid in the inductive case. Note that the problem with is closely 
related to the problem of weak bisimulation up to weak bisimilarity (Sangiorgi 
and Milner 1992); presumably some of the techniques which have been developed 
to address the latter problem are also applicable to the former. 

There are actually several different ways in which one can close a coinduc- 
tively defined binary relation 

data : A — * A — » Set where 

under transitivity. We list three: 

1. One can include transitivity as a coinductive constructor: 

data : A — > A — » Set where 

trans : oo (x ~ y) — > oo (y ~ z) — » x ~ z 

This amounts to defining the largest relation which is closed under transi- 
tivity, and is not very useful, as pointed out in the introduction. 

2. One can define the least relation which includes and is closed under 
transitivity: 

data : A — > A — » Set where 
include : x ~ y — > x ~ 7 y 
trans : x y — » y z — » x z 

This “solves” the problem outlined above, because if is transitive, then 
and are equivalent. However, in any given proof trans can only be 
used a finite number of times, and this can be a rather severe restriction. 
For instance, the definition of in Sect. 5 would not have been correct if 
trans had been defined using this method. 

3. Finally one can include transitivity as an inductive constructor, like in the 
definition of 

data : A — » A — > Set where 

trans : x ~ y — > y ~ z — > x ~ z 

This definition often gives a more useful notion of transitivity than the one 
above, because transitivity can be used anywhere in a proof, infinitely often, 
as long as there is never a stretch of infinitely many transitivity constructors 
without any intervening coinductive constructor. However, this notion of 
transitivity can sometimes be too strong, as illustrated for the partiality 
monad equality _=_ above: the “infinitely transitive closure” is sometimes 
the trivial relation. 



8 Conclusions 


We have showed that coinduction can be usefully combined with the rule of 
transitivity, and discussed under what conditions the technique is applicable. 
We have also defined subtyping for recursive types in a new way, and compared 
this definition to a similar axiomatisation given by Brandt and Henglein (1998). 
Brandt and Henglein note that their inductive encoding of coinduction seems 
to be closely related to guarded coinduction, but leave a precise comparison to 
future work. This paper provides a precise comparison, albeit not for the general 
case, but only for a particular example (the subtyping relations given in Sects. 5 
and 6). 

It is our hope that this paper provides a compelling example of the use 
of mixed induction and coinduction. We have found this technique useful in 
a number of situations (Danielsson and Altenkirch 2009), and encourage more 
programming language researchers — as well as programmers interested in guar- 
anteed totality — to become familiar with it. 
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